Hackers Employ New ClickFix Captcha Technique to Deliver Ransomware

A sophisticated social engineering technique known as ClickFix has emerged, leveraging fake CAPTCHA verification processes to deceive users into executing malicious commands.

This method exploits the trust users have in CAPTCHA systems, which are typically used to verify human identity online.

The ClickFix technique involves guiding users through a series of seemingly harmless keystrokes that ultimately lead to the installation of malware, including infostealers, ransomware, and banking trojans like Qakbot.

Exploiting User Trust

The ClickFix attack begins with a deceptive pop-up on a compromised or malicious website, mimicking a standard bot verification message.

[Figure: ClickFix CAPTCHA, decoding the hex to get more value]

Users are prompted to complete three simple steps to confirm their identity.

These steps are pressing the Windows Key + R to open the Run dialog box, then pressing CTRL + V to paste malicious code that the website has already placed on the user's clipboard into the Run prompt.

Finally, pressing Enter executes the pasted command, compromising the device by downloading and executing malicious code via Windows utilities like mshta.exe.
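The three keystrokes above leave a recognisable trace on the endpoint: a command started from the Run dialog runs as a child of explorer.exe, and in the ClickFix case that child is a living-off-the-land utility such as mshta.exe or PowerShell whose command line points at a remote location. The following hunt script is an added defender-side example, not code from DarkAtlas or from this article. It assumes Sysmon-style process-creation events (Event ID 1) serialised one JSON object per line with ParentImage, Image and CommandLine fields; the launcher list, the regular expression and the sample events are all constructed for the example.

```python
"""
Hunt for ClickFix-style Run-dialog executions in process-creation telemetry.

Detection logic (defender's view of the Win+R, Ctrl+V, Enter sequence):
  parent process is explorer.exe (the Run dialog's launcher)
  AND the child is a script/LOLBin host (mshta.exe, powershell.exe, ...)
  AND its command line references a remote location (URL or UNC path).
"""
import json
import re
from typing import Dict, List

# Utilities the article names (mshta.exe, PowerShell) plus other common
# Run-dialog launchers. Assumption: a starting set, not an exhaustive list.
RUN_DIALOG_LAUNCHERS = {
    "mshta.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "wscript.exe", "cscript.exe",
}

# A URL scheme or a UNC path (\\host\share) in the command line.
REMOTE_REF = re.compile(r"(https?://|\\\\[^\s\\]+\\)", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name portion of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_candidate(event: Dict[str, str]) -> bool:
    """Apply the three-part rule to a single process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent != "explorer.exe":
        return False
    if image not in RUN_DIALOG_LAUNCHERS:
        return False
    return REMOTE_REF.search(cmdline) is not None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return the events in `lines` (JSON, one per line) that match the rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the hunt
        if is_clickfix_candidate(event):
            hits.append(event)
    return hits


# Constructed sample telemetry (not real logs); host name and URL are placeholders.
SAMPLE_EVENTS = [
    # Positive: mshta launched from the Run dialog with a URL argument.
    json.dumps({"EventID": 1, "User": "WS01\\alice",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\mshta.exe",
                "CommandLine": "mshta https://captcha-check.example/verify"}),
    # Negative: ordinary program opened from explorer, local file only.
    json.dumps({"EventID": 1, "User": "WS01\\alice",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\notepad.exe",
                "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}),
    # Negative: PowerShell with a remote reference, but parent is not explorer.
    json.dumps({"EventID": 1, "User": "WS01\\bob",
                "ParentImage": "C:\\Program Files\\SomeIDE\\ide.exe",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -File \\\\fileserver\\builds\\build.ps1"}),
    # Negative: interactive PowerShell from the Run dialog, no remote reference.
    json.dumps({"EventID": 1, "User": "WS01\\bob",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -NoProfile"}),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ClickFix candidate: user={hit['User']} "
              f"image={basename(hit['Image'])} cmd={hit['CommandLine']}")
```

The three negative events show why all three conditions are needed: the parent check alone would flag every program opened from Explorer, and the remote-reference check alone would flag legitimate scripts run from a file share. In a real deployment the hit would be enriched with the RunMRU registry history and the browser tab that was open at the time, which is where the fake CAPTCHA page itself can be recovered.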

According to DarkAtlas, this technique preys on human behavior, exploiting trust in common online interactions to deploy malicious payloads without raising suspicion.

Qakbot and Other Malware

Qakbot, a banking trojan first discovered in 2008, has evolved into a versatile malware capable of delivering additional threats like ransomware.

It has been used as an initial access broker, facilitating lateral movement within networks and deploying second-stage infections.

The integration of Qakbot with the ClickFix technique allows attackers to bypass traditional security measures by leveraging user interaction to execute malicious commands.

[Figure: ClickFix CAPTCHA, PowerShell command]

This approach makes it challenging for automated security solutions to detect and mitigate the threat.

Attackers using the ClickFix technique often employ obfuscation methods to conceal the true nature of the malicious payload.

This includes using encrypted files and dynamically generated URLs, making it difficult for security solutions to blacklist or detect malicious activity effectively.

For instance, attackers can create an unlimited number of unique URLs for malware distribution, complicating efforts to trace and analyze the threat. Using PHP scripts as intermediaries further adds layers of obfuscation, making it harder for defenders to identify the source of the attack.

Currently, efforts are underway to disrupt the malware delivery infrastructure by taking down associated domains and removing malicious content.
